DDOS Attacker Caught in the Act


Before the telescope, planets and stars were just dots of light to the human eye.

Before the invention of X-rays, and the MRI, doctors often could not determine the cause of a problem until a person was in an autopsy room.

Today, there is no reason to remain blind to DDOS and hacking intrusions.

This morning I got a text message from our training engineer at a customer site.

“Just stopped a Chinese DDOS attack at the #### school”

Our training engineer was not even doing a security audit; he was simply walking through the features of our product. He had scrolled over to our DDOS monitoring tool, and right away this attack popped out. It was as clear as a large cancerous tumor in an MRI. He noticed an outside entity was bombarding the customer link with all kinds of queries.

The attacker stood out because our DDOS tool singles out un-invited queries and gives you a count of how often they are hitting your enterprise.

Our engineer then checked the source of the incoming IP, and thus removed any lingering doubt that this was a hostile attack. The requests were originating in China.

It turned out this was not technically a DDOS attack. The attacker was hitting port 22 (SSH), probing for weak logins on every server inside the school. The frequency of the incoming requests made it obvious this was a bot. Combining the frequency of hits with the fact that it was an un-invited outside IP address, it stood out like a sore thumb in our DDOS monitor and was easily flagged.

The IT administrator at the school was then able to block the IP, averting any further shenanigans from this hacker.

If a person showed up at your front door wearing a ski mask and carrying an AK-47, you would likely not let them in. I know that sounds a bit extreme, but a typical attacker will be that obvious to your DDOS security tool, if you have one in place, and can easily be flagged. The point is, it should not be expensive or impractical for the average layman to spot a security risk on a network. You just need a tool that exposes them; they are very obvious to a simple tool like our DDOS monitor.
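Here is an added example (my own illustration for this page, not NetEqualizer's code) of the detection logic the post describes: single out inbound connection attempts that nobody inside invited, count them per outside source over a time window, and flag the sources whose rate and spread look like a bot sweeping a port. The log line format, the 10.0.0.0/8 inside range, the list of published services and the sample log lines are all constructed assumptions; adapt the regex to your own firewall's syslog.

```python
"""Pick out un-invited inbound connection attempts by source, the way the
DDOS monitor in the post singles out outside hosts and counts their hits.

Added example, not NetEqualizer's code. Labelled assumptions:
  - a firewall connection log, one TCP SYN per line, in the constructed form
        <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>
    (adapt LINE to your own firewall's syslog format),
  - the school's inside network is 10.0.0.0/8,
  - PUBLISHED lists the only services meant to be reachable from outside;
    any other inbound SYN from an outside address is "un-invited".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

INSIDE = ipaddress.ip_network("10.0.0.0/8")           # assumption
PUBLISHED = {("10.0.0.10", 80), ("10.0.0.10", 443)}   # assumption: public web server
LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

# Constructed sample log: one inside user browsing out, one outside visitor to
# the published web server, one stray probe, and a bot walking port 22 across
# forty inside hosts in forty seconds.
SAMPLE_LOG = [
    "2015-07-14T09:00:00 10.0.5.20 -> 23.1.1.1:443",
    "2015-07-14T09:00:01 198.51.100.7 -> 10.0.0.10:443",
    "2015-07-14T09:00:05 198.51.100.7 -> 10.0.0.10:8080",
] + [f"2015-07-14T09:00:{2 + i:02d} 203.0.113.9 -> 10.0.0.{i + 1}:22" for i in range(40)]


def parse(line):
    """Return (timestamp, src, dst, port) for a log line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def uninvited_events(lines):
    """SYNs from outside to an inside host on a service we do not publish."""
    events = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        if not is_inside(src) and is_inside(dst) and (dst, port) not in PUBLISHED:
            events.append(rec)
    return events


def max_hits_in_window(timestamps, window):
    """Largest number of events inside any interval of length `window`
    (two-pointer sweep over the sorted timestamps)."""
    timestamps = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_sources(lines, window=timedelta(seconds=60), threshold=20):
    """Group un-invited SYNs by source and report sources whose peak rate
    reaches `threshold` hits per `window`. The report also carries how many
    distinct inside hosts and which ports were touched: many hosts on one
    port is the signature of the port-22 sweep described in the post."""
    per_src = defaultdict(list)
    for ts, src, dst, port in uninvited_events(lines):
        per_src[src].append((ts, dst, port))
    report = {}
    for src, hits in per_src.items():
        peak = max_hits_in_window([h[0] for h in hits], window)
        if peak >= threshold:
            report[src] = {
                "hits": len(hits),
                "peak_per_window": peak,
                "targets": len({h[1] for h in hits}),
                "ports": sorted({h[2] for h in hits}),
            }
    return report


if __name__ == "__main__":
    for src, info in flag_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['hits']} un-invited hits, peak {info['peak_per_window']}/min, "
              f"{info['targets']} hosts, ports {info['ports']}")
```

The visitor to the published web server never appears in the report, and the single stray probe on port 8080 stays below the threshold; only the source that hits forty hosts on port 22 inside one minute is flagged, which is the count-plus-uninvited combination the post relies on. Geolocating the source, as the engineer did, is a useful second signal but not the trigger.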

Here is another detailed article on stopping DDOS attacks.

Dear Comcast, Please Stop Slowing my iOS Update


Last week I was forced to re-load my iPad from scratch. So I fired it up and went through the routine that wipes it clean and re-loads the entire OS from the Apple cloud. As I watched the progress indicator it slowly climbed from 1 hour, then 2 hours, then all the way up to 23 hours, and then it just stayed there. Now I know the iOS, or whatever they call it on the iPad, is big, but 23 hours big? I double-checked the download throughput on my NetEqualizer status screen, and sure enough, it was only running at about 60 to 100 kbps, nowhere near my advertised Business Class 20 megabits. So I did a little experiment. I turned on my VPN tunnel, unplugged my iPad for a minute, and then took some steps to hide my DNS (so Comcast had no way to see my DNS requests). I then restarted my update and sure enough it sped up to about 10 megabits.

To make sure I was not imagining anything I repeated the test.

Without VPN  (slow)

With VPN (fast)

So what is going on here? Does the VPN make things go faster? No, not really, but it does prevent Comcast from recognizing my iOS update from Apple and singling it out for slower bandwidth.

Why does Comcast (allegedly) shape my download from Apple?

The long story basically boils down to this: it is likely that Comcast does not have a big enough switch going out to the Internet to support the deluge of bandwidth needed when a group of subscribers all try to update their devices at once, especially during peak hours! Therefore, in order to keep basic services from becoming slow, they single out a few big hitters such as iOS updates.

NetEqualizer News: July 2015


July 2015

Greetings!

Enjoy another issue of NetEqualizer News! This month, we highlight exciting 8.3 Release features, talk about our experience at edAccess’s Vendor Day, encourage you to sign up for a Tech Refresh, spotlight our Hotel & Resorts offering, and update you on the NetEqualizer DDoS monitoring and prevention tool. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

Now that summer has officially arrived, we are ready for the heat in Colorado. It has been unusually rainy and cloudy here in July so far, and I would like more sunshine please!

Speaking of heat, this month we turn the heat up on several of our new features in 8.3, which are spotlighted below. 8.3 has been G/A since early June, in case you missed it. We also want you to take a Summer Course, no tests involved, and update you on Art’s latest visit back to school, namely the edAccess Conference. And finally, if you need relief from the heat of potential DDoS attacks, you have come to the right place. Our DDoS Monitor and Firewall can help! Read more below.

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at art@apconnections.net. I would love to hear from you!

Spotlight: 8.3 Release Hot New Features

8.3 has been G/A since early June, and we have been receiving a lot of positive feedback on the new RTR reports. If you have not yet requested 8.3, what are you waiting for? Click here to request an upgrade to 8.3 from our support team.

This month, we are highlighting two features available in 8.3 – Historical and Active Penalty Tracking. We also talk about our Management Port, which is now enabled by default on all new NetEqualizers!

One of the best features in the 8.3 release is increased visibility into how your NetEqualizer is penalizing traffic. We’ve added interfaces to the 8.3 release that allow you to see both the number of penalties enforced on your network historically, as well as all of the current connections that are being penalized.

Historical Penalty Tracking

The General Penalty Reports page under the Traffic History menu shows the number of penalties enforced on your network at a given point in time. This allows you to see when connections on your network were being Equalized.


Active Penalty Tracking

The View Active Penalties page under the Active Connections menu shows which connections are currently being Equalized along with their current state (New, Increased, or Decreased). This allows you to diagnose any performance issues and also gives you a real time look at how the penalties are being enforced and who they are being enforced on.


Management Port Enabled by Default on all NEW NetEqualizers

We strive to make setting up the NetEqualizer as simple as possible. In this spirit, last year we moved all new NetEqualizers to a four port model, and started using colored port plugs to help our customers identify the ports. Two ports (eth0 and eth1) are used for network traffic, a 3rd port (eth2) is used as a management port, and the 4th port is a spare. We use four colors: 1) blue (WAN), 2) orange (LAN), 3) clear (Management Port) and 4) black (unused).

Prior to 8.3, only a subset of our customers used the Management Port, typically those on VLANs. As of 8.3, we standardized everything so that our NetEqualizer code automatically enables the Management Port, and ALL customers will use this to configure new NetEqualizers. While not a huge change, we think this will make setup just a little bit easier for everyone.

Please note that this feature is only available on new NetEqualizers.

You can read more about all of the features of the 8.3 Release here in the 8.3 Software Update. If you would like to upgrade to 8.3, just click on the button below to send a request to Support.


These features are free to all customers with valid NetEqualizer Software and Support. If you are not current with NSS, contact us today!


We Had a Blast at edAccess!

Art recently joined the edAccess Conference in Mercersburg, PA on June 24th for Vendor Day. It was a great event and was well-attended by small schools and colleges (members come from schools with an FTE of under 1,000 students).

Art got to visit with quite a few current NetEqualizer customers, as you can see in the picture below:


Art is on the left of the picture and is shown along with representatives from Williston Northampton School, Choate Rosemary Hall, Blair Academy, Mt. St. Mary Academy, Mercyhurst University, Peddie School, and Groton School.

Art would like to personally thank everyone for a great event…

I’d like to thank John Johnson from Williston Northampton School, Rainelle Dixon from Mercersburg Academy and the entire edAccess steering committee for being such wonderful hosts to the vendors. Mercersburg is such a lovely campus, and my drive through central Pennsylvania was also relaxing and fun. I took some time on my return stopping at the various waysides, and even took in a game featuring the Single A Crosscutters of Williamsport.

Thanks Again!

To learn more about NetEqualizer and how we help educational institutions of all sizes, click below.



Take a Summer Course! Sign Up for a Tech Refresh

Remember those days? If you ever took a summer course, you know that the key was to keep it short, so that you could get back outside. Our NetEqualizer Technical Refresh is short! – only a 30 minute discussion with you and your fellow team members to help get caught up on new NetEqualizer functionality or answer any other questions you have.

The Tech Refresh is great for both new and longtime customers because we are constantly enhancing our product to give you the most value in managing and shaping bandwidth.

To schedule your Tech Refresh, contact us today!


Tech Refreshes are free to all customers with valid NetEqualizer Software and Support. If you are not current with NSS, contact us today!


Spotlight: GX2 – NetEqualizer Hotel & Resort Industry Wi-Fi Partner

NetEqualizer’s Wi-Fi management partner for the hotel and resort industry, GX2 (formerly Global Gossip), recently attended the HITEC 2015 Conference in Austin, Texas, and brought along the NetEqualizer. According to their website, HITEC is the world’s largest hospitality conference.

Visitors to GX2’s booth and luncheon were able to review the NetEqualizer offering, and also walk away with some trade show bling (a foam NetEqualizer soccer ball!).

Here is a screenshot of the GX2 application used in the managed Wi-Fi service offering:


As we have reported here in the past, GX2 utilizes the NetEqualizer as part of their Wi-Fi offering supporting our National Parks. So, if you have a summer vacation planned at Yellowstone, Mammoth, Mount Rushmore, Zion, Crater Lake, or the Grand Canyon, to name a few, chances are you are experiencing the benefits of NetEqualizer’s traffic shaping.

If you are already on our technology, you have part of the solution already in place. If you have ever wanted to learn more about a managed service Wi-Fi solution for the Hotel & Resort industry, you can read about our joint offering (HMSIO).



NetEqualizer DDoS Tool Gaining Momentum

We keep getting reports of ongoing Distributed Denial of Service (DDoS) attacks from our customers, and are glad to hear the NetEqualizer is helping in many cases. If you are interested in chatting about using the NetEqualizer as a DDoS prevention tool please contact us to set up a time to chat.

Note: We do have a consulting charge for custom activation of firewall rules, but the initial consult is free.

The 8.3 Release includes our DDoS Monitor at no extra charge! In addition, our new DDoS Firewall tool (DFW) can be purchased as an add-on module for an additional fee.


The new DDoS Monitor shows you some basic metrics on the outside intrusion hit rate into your network. It can be used to spot anomalies which would indicate a likely DDoS attack in progress. The DDoS Firewall tool helps to actually thwart the attack.



Best Of The Blog

Is Your Bandwidth Controller Obsolete Technology?

By Art Reisman – CTO – APconnections

Although not free yet, bandwidth contracts have been dropping in cost faster than a bad stock during a recession. With cheaper bandwidth costs, the question often arises on whether or not an enterprise can do without their trusty bandwidth controller.

Below, we have compiled a list of factors that will determine whether or not Bandwidth Controllers stick around for a while, or go the route of the analog modem, a relic of when people received their Internet from AOL and dial up…

Photo Of The Month
Cinque Terre, Italy
This picture was taken by one of our staff while walking the trail that connects the five towns of the Cinque Terre on the coast of Italy. These towns are built into the sides of the tall hills that meet the sea. The trek between each town is a manageable 2 miles and provides picturesque views of the water and surrounding forests.

How to get Access to Blocked Internet Sites and Blocked Video Services


Have you ever taken a flight where video access is blocked?

Perhaps you are in a European country where a well known provider blocks Skype to force you to use their phone service?

All you need to get around these suspect practices is to use a standard VPN, and it is easier than you think. I am on a flight right now and am going to try watching a movie. I am using IPvanish, but there are many VPN services you can choose from, and use for just a few dollars a month.

Just today, I was trying to restore my iPad to factory defaults. I supposedly have 20 megabit business service from Comcast. While running the restore, I noticed that my download speed was running at about 200 kbps max, and yet speedtests were showing no problems with my connection. So I rebooted my computer, started up my VPN, and found out that I am now getting my full 10 megabits. What can I infer from this? Well, I can only assume that Comcast has some sort of bandwidth control and is identifying my Apple device download and slowing it down. I was able to repeat this test.

By the way, I did get to watch a movie on my flight – success!  And that was a much needed break from work.

Note: There is one more trick required to un-block some streaming sites with some VPN services. You may need to hide your DNS activity as well, since some blocking services will also block the DNS request before you even get to the site.

For example, the VPN tunnel hides what you are doing from anybody in the path, but the initial lookup that finds the site’s address may not be hidden, because by default you are likely using your provider’s DNS service outside the tunnel. So, after you fire up your VPN, you should also set your DNS service to a third party other than your provider, and confirm that the lookups are actually going through the tunnel. That way the DNS requests travel inside the encrypted tunnel as well, instead of in the clear to your provider’s resolver.

Behind The Scenes , How Many Users Can an Access Point Handle ?


Assume you are teaching a class with thirty students, and every one of them needs help with their homework, what would you do? You’d probably schedule a time slot for each student to come in and talk to you one on one (assuming they all had different problems and there was no overlap in your tutoring).

Fast forward to your wireless access point. You have perhaps heard all the rhetoric about 2.4 gigahertz, or 5 gigahertz?

Unfortunately, the word frequency is tossed around in tech buzzword circles the same way car companies and their marketing arms talk about engine sizes. I have no idea what a 2.5 liter engine is; it might sound cool and it might be better than a 2 liter engine, but in reality I don’t know how to compare the two numbers. So to answer our original question, we first need a little background on frequencies to get beyond the marketing speak.

A good example of a frequency that is also easy to visualize is ripples on a pond. When you drop a rock in the water, ripples propagate out in all directions. Now imagine if you stood in the water, thigh deep across the pond, and the ripples hit your leg once each second. The frequency of the ripples in the water would be 1 hertz, or one peak per second. With access points there are similar ripples that we call radio waves. Although you can’t see them, they are essentially the same thing as the ripples on the water: little peaks and valleys of electromagnetic waves going up and down and hitting the antenna of the wireless device in your computer or iPhone. So when a marketing person tells you their AP is 2.4 gigahertz, that means those little ripples coming out of it are hitting your head, and everything else around it, 2.4 billion times each second. That is quite a few ripples per second.

Now in order to transmit a bit of data, the AP actually stops and starts transmitting ripples. One moment it is sending out 2.4 billion ripples per second, the next moment it is not. Now this is where it gets a bit weird, at least for me. The 2.4 billion ripples a second have no meaning as far as data transmission by themselves; what the AP does is set up a schedule of time slots, let’s say 10 million time slots a second, where it is either transmitting ripples or it turns the ripple generator off. Everybody that is in communication with the AP is aware of the schedule and all 10 million time slots. Think of these time slots as dates on your calendar: call a sunny day a binary 1 and a cloudy day a binary 0. After we string together 8 days we have a sequence of 1’s and 0’s, a full byte. Now 8 days is a long time to transmit a byte, which is why the AP does not use 24 hours for a time slot, but it could, if we were some laid back hippie society where time did not matter. (Real Wi-Fi radios squeeze several bits into each time slot by varying the amplitude and phase of the wave rather than simply switching it on and off, but the on/off picture is enough to see where the limits come from.)

So let’s go back over what we have learned and plug in some realistic parameters.
Let’s start with a frequency of 2.4 gigahertz. The fastest an AP could realistically turn this ripple generator off and on is about 1/4 the frequency, or about 600 million time slots/bits per second. This assumes a perfect world where all the bits get out without any interference from other things generating ripples (like your microwave). So in reality the effective rate might be more on the order of 100 million bits a second.
Now let’s say there are 20 users in the room, sharing the available bits equally. They would all be able to run 5 megabits each. But again, there is overhead switching between these users (sometimes they talk at the same time and have to constantly back off and re-sync). Realistically, with 20 users all competing for talk time, 1 to 2 megabits per user is more likely.
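To make the arithmetic above concrete, here is an added example, written for this page rather than taken from the post, that puts the 100 megabit figure and the 20-user case into a simple contention model. The slotted, p-persistent channel model and the 100 Mbit/s usable rate are assumptions; real 802.11 radios listen before talking and back off exponentially, so they do better than this model, and the numbers are a floor rather than a forecast.

```python
"""Per-user throughput on one access point as users are added.

Added illustration, not NetEqualizer code. It puts the post's numbers into a
simple contention model; its assumptions are labelled:
  - the radio delivers a fixed usable rate, CAPACITY_BPS (the post's rough
    100 Mbit/s figure),
  - channel access is slotted and "p-persistent": each station transmits in
    a slot with probability p, a slot carries data only when exactly one
    station transmits, and two or more transmitting at once waste the slot
    (the "talk at the same time and back off" case in the post).
Real 802.11 listens before talking and uses exponential backoff, which does
better than this model, so treat these numbers as a floor rather than a forecast.
"""
import random

CAPACITY_BPS = 100_000_000   # assumption: usable air rate after interference


def slot_success_probability(n_stations, p):
    """Probability that exactly one of n stations transmits in a given slot."""
    if n_stations <= 0 or not 0.0 <= p <= 1.0:
        return 0.0
    return n_stations * p * (1.0 - p) ** (n_stations - 1)


def fair_share_bps(n_stations, capacity_bps=CAPACITY_BPS):
    """The post's first cut: capacity split evenly, collisions ignored."""
    return capacity_bps / n_stations


def contended_share_bps(n_stations, capacity_bps=CAPACITY_BPS, p=None):
    """Per-station throughput once collided slots are thrown away.
    p defaults to 1/n, which maximises the success rate in this model."""
    if p is None:
        p = 1.0 / n_stations
    return capacity_bps * slot_success_probability(n_stations, p) / n_stations


def simulate_share_bps(n_stations, slots=50_000, capacity_bps=CAPACITY_BPS, seed=1):
    """Monte Carlo check of contended_share_bps: roll the dice slot by slot."""
    rng = random.Random(seed)
    p = 1.0 / n_stations
    good_slots = 0
    for _ in range(slots):
        transmitting = sum(1 for _ in range(n_stations) if rng.random() < p)
        if transmitting == 1:
            good_slots += 1
    return capacity_bps * (good_slots / slots) / n_stations


def contention_table(station_counts=(1, 2, 5, 10, 20, 40)):
    """Rows of (stations, naive share, contended share) in Mbit/s."""
    return [(n, fair_share_bps(n) / 1e6, contended_share_bps(n) / 1e6)
            for n in station_counts]


if __name__ == "__main__":
    print("stations  naive Mbit/s  contended Mbit/s")
    for n, naive, real in contention_table():
        print(f"{n:8d}  {naive:12.2f}  {real:16.2f}")
```

With 20 stations the naive split gives 5 Mbit/s each, while the contended model lands just under 1.9 Mbit/s, inside the 1 to 2 megabit range the post quotes; at 40 stations it drops below 1 Mbit/s. The Monte Carlo function exists only to confirm that the closed-form success probability matches what the dice actually do.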

Other factors that can affect the number of users.
As you can imagine, the radio AP manufacturers do all sorts of things to get better numbers. The latest APs have multiple antennas and run on two frequencies (two ripple generators) for more bits.

There are also often interference problems with multiple APs in the area, all making ripples. The ripples from one AP do not stop at a fixed boundary, and this complexity will cause the data rates to slow down while the APs sort themselves out.

For related readings on Users and Access Points:

How Many Users Can a Wireless Access Point Handle?

How to Build Your Own Linux Access Points

How to use Access Points to set up an In-Home Music System

Does Your School Have Enough Bandwidth for On-line Testing?


K through 12 schools are all rapidly moving toward “one-to-one” programs, where every student has a computer. Couple this with standardized, cloud-based testing services and you have the potential for Internet gridlock during the testing periods. Some of the common questions we hear are:

How will all these students using the cloud affect our internet resource?

Will there be enough bandwidth for all those students using on-line testing?

What type of QOS should we deploy, or should we buy more bandwidth?

The good news is that most cloud testing services are designed with a fairly modest bandwidth footprint.

For example, a student connection to a cloud testing application will average around 150 kbps (kilobits per second).

In a perfect world, a 40 megabit link could handle roughly 265 students simultaneously doing on-line testing, as long as there was no other major traffic.

On the other hand, a video stream may average 1,500 kbps or more.

A raw download, such as an iOS update, may take as much as 15,000 kbps; that is 100 times more bandwidth than the student taking an on-line test.

A common approach when choosing a bandwidth controller to support on-line testing is to look for a tool which will specifically identify the on-line testing service and the non-essential applications, allowing the IT staff at the school to make adjustments that give the testing a higher priority (QoS). This strategy seems logical, but there are several drawbacks:

  • It requires a fairly sophisticated form of bandwidth control and can be fairly labor intensive and expensive.
  • Much of the public Internet traffic may be encrypted or tunneled, and hard to identify.
  • Another complication in trying to give Internet traffic traditional priority is that a typical router cannot give priority to incoming traffic, and most of the test traffic flows from the outside in. We detailed this phenomenon in our post about QoS and the Internet.

The key is not to make the problem more complicated than it needs to be. If you just look at the footprint of the streams coming into the testing facility, you can assume, from our observation, that the streams of around 150 kbps deserve higher priority than the much larger streams, and simply throttle the larger streams. Doing so will ensure there is enough bandwidth for the testing service connections to the students. The easiest way to do this is with a heuristic based bandwidth controller, a class of bandwidth shapers that dynamically give priority to smaller streams by slowing down larger streams, with no need to identify the application.

The other option is to purchase more bandwidth, or in some cases a combination of more bandwidth and a heuristic based bandwidth controller, to be safe.
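As an added illustration (my own code for this page, not NetEqualizer’s algorithm), here is what the “throttle the large streams” heuristic looks like when written out: streams are classified only by their observed rate, small streams keep their demand, and the large ones share whatever capacity is left once the link fills up. The 1 Mbit/s large-stream threshold, the 85% trigger, the water-filling split among large streams and the testing-day snapshot are all assumptions.

```python
"""Heuristic equalizing for an on-line testing day: keep the small streams
whole and throttle the big ones once the link fills up.

Added example to illustrate the strategy the post recommends; it is not
NetEqualizer's own algorithm. Assumptions, labelled:
  - a stream counts as "large" above LARGE_BPS (1 Mbit/s here, comfortably
    above a 150 kbps test session and below a 1,500 kbps video stream),
  - throttling starts when total demand passes TRIGGER of link capacity,
  - large streams split the leftover capacity by water-filling (each gets
    an equal share, capped at its own demand, with any unused share passed
    on to the others).
Only observed rates are used, so nothing has to identify the application.
"""
LARGE_BPS = 1_000_000
TRIGGER = 0.85


def students_supported(link_bps, per_student_bps=150_000):
    """The post's perfect-world sizing: how many test sessions fit the link."""
    return link_bps // per_student_bps


def equalize(demands, link_bps, large_bps=LARGE_BPS, trigger=TRIGGER):
    """demands: {stream_id: requested bps}. Returns {stream_id: allowed bps}.

    Below the trigger everyone gets what they ask for. Above it, small
    streams keep their demand and the large streams share what is left."""
    total = sum(demands.values())
    if total <= trigger * link_bps:
        return dict(demands)

    small = {s: d for s, d in demands.items() if d <= large_bps}
    large = {s: d for s, d in demands.items() if d > large_bps}
    allowed = dict(small)
    leftover = link_bps - sum(small.values())

    if leftover <= 0:
        # The small streams alone overflow the link. No shaping policy fixes
        # that; scale them evenly (and starve the large ones) rather than
        # letting some test sessions fail outright. Time to buy bandwidth.
        scale = link_bps / sum(small.values())
        allowed = {s: d * scale for s, d in small.items()}
        allowed.update({s: 0.0 for s in large})
        return allowed

    # Water-filling: walk the large streams from smallest demand up, giving
    # each min(demand, equal share of the remaining budget).
    budget = leftover
    ordered = sorted(large.items(), key=lambda kv: kv[1])
    for i, (stream, demand) in enumerate(ordered):
        share = budget / (len(ordered) - i)
        grant = min(demand, share)
        allowed[stream] = grant
        budget -= grant
    return allowed


# Constructed testing-day snapshot: 300 students at 150 kbps plus five
# 15 Mbit/s OS downloads competing for a 60 Mbit/s link.
EXAMPLE_DEMANDS = {f"test{i}": 150_000 for i in range(300)}
EXAMPLE_DEMANDS.update({f"update{i}": 15_000_000 for i in range(5)})
EXAMPLE_LINK_BPS = 60_000_000

if __name__ == "__main__":
    allowed = equalize(EXAMPLE_DEMANDS, EXAMPLE_LINK_BPS)
    print(f"test session keeps {allowed['test0']:,} bps")
    print(f"each download throttled to {allowed['update0']:,.0f} bps")
    print(f"link sized for {students_supported(EXAMPLE_LINK_BPS)} test sessions alone")
```

In the snapshot the 300 test sessions keep their full 150 kbps (45 Mbit/s in total) and the five downloads are cut from 15 Mbit/s each to 3 Mbit/s each, filling the 60 Mbit/s link exactly. The `leftover <= 0` branch is the case the post’s second option covers: when the small streams alone exceed the link, the only real fix is more bandwidth.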

Please contact us for a more in-depth discussion of options.

For more information on cloud usage in K-12 schools, check out these posts:

Schools View Cloud Infrastructure as a Viable Option

K-12 Education is Moving to the Cloud

For more information on Bandwidth Usage by Cloud systems, check out this article:

Know Your Bandwidth Needs: Is Your Network Capacity Big Enough for Cloud Computing?

NetEqualizer News: June 2015


June 2015

Greetings!

Enjoy another issue of NetEqualizer News! This month, we announce the 8.3 Release – Expanded RTR, introduce our End of Spring Sale, update you on our DDoS monitoring and prevention technology, and preview our upcoming seminars and conferences. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

Spring has been interesting in Colorado this year, if you like to set records for the most rain in 20 years, that is! Luckily, one of my favorite TV channels is The Weather Channel, so I have been enjoying all the storms… With spring coming to an end soon, I look forward to warmer summer weather.

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at art@apconnections.net. I would love to hear from you!

8.3 Release is G/A

We are very excited to announce that our 8.3 Release – Expanded RTR is now generally available!

The beta tests for the 8.3 Release have gone very well, and we are ready to release the new reporting features to everyone! Here is a comment from one of our beta customers:

“One of the things that really got my attention on the new 8.3 Release was the ability to see, in real-time, the traffic on all my subnets on one screen. I simply created a pool for all the subnets in my network, and I can instantly see the saturation in the dynamic bar charts that update once a second. I know instantly which segments are saturated by glancing at my monitor screen.”

This release expands our current reporting features to include even more useful information, graphs, and tables. Here are just a few of the new additions you’ll find in the 8.3 Release:

1) Top Talkers Report – this has been one of the most requested graphs and was a popular feature of our previous reporting tool, ntop. You can use this feature to see which IP addresses have used the most bandwidth over time.


2) General Penalty Report – we are bringing this one back from the first version of RTR! You can see both IPs that are currently being penalized, as well as a historical count of penalties that have occurred over time.


3) Connection Count Report – NetEqualizer controls P2P traffic by using connection count limits on IP addresses. However, figuring out what limit to set for your network depends on how it’s used. You can use the new Connection Count Report to see how many connections individual IP addresses have, and thus set your connection limit to the appropriate level.


You can read more about all of the features of the 8.3 Release here in the 8.3 Software Update. If you would like to upgrade to 8.3, just click on the button below to send a request to Support.


These features are free to all customers with valid NetEqualizer Software and Support. If you are not current with NSS, contact us today!


Spring for a Lease in our End of Spring Sale

Our Leasing Program continues to be a popular choice for customers that want to use a NetEqualizer with no long-term lease commitment, and also want to spread out their costs over each month instead of incurring one upfront expense. If you have ever considered leasing a NetEqualizer, now is the time!

To celebrate two years of the NetEqualizer Leasing Program, all new NetEqualizer Leases started before August 31st, 2015 will get 50% off the 1st month fee.

This offer is subject to availability, and customers must qualify to participate in our Leasing Program.

We also are excited to announce that we have added fiber connectivity to our leasing program, in both the 1Gbps and 10Gbps levels. And, to provide more flexibility in financing for our larger customers, we are now offering an Enterprise-Level Lease, for customers with more than 10,000 end users.

If you are interested in learning more, you can read the details of our Leasing Program here, or contact us below.



DDoS Update

The 8.3 Release also includes our recent Distributed Denial of Service (DDoS) Monitor at no extra charge! In addition, our new DDoS Firewall tool (DFW) can be purchased as an add-on module for an additional fee.

Here are some tips from our security experts for how to handle DDoS attacks, or stop them in the first place:
• Lock out unexpected geographies – Most businesses do not need global availability for their websites.
• If an attack occurs, look for fraud – Sometimes DDoS attacks can be smokescreens for other breaches.
• Route traffic through a system like CloudFlare – Their vast network can help thwart bandwidth overloads.
• Have a plan – Build DDoS into your Disaster Recovery Plan, and know who to call when an attack occurs.

The NetEqualizer can help you have a plan.

The new DDoS Monitor, which comes standard, shows you some basic metrics on the outside intrusion hit rate into your network. It can be used to spot anomalies which would indicate a likely DDoS attack in progress.

See our detailed blog article on the subject for how this technology works. Here is a screenshot of the DDoS Monitor dashboard:


If you decide you need something more proactive to mitigate a DDoS attack, we have a solution for you! For a one time charge of $3,500, which includes one hour of training and consulting, we install our DDoS Firewall (DFW) feature, which can be configured to block standard DDoS attacks.



NetEqualizer Tech Seminars and Conferences

Our CTO, Art Reisman, will be on-site at Mercersburg Academy in Mercersburg, Pennsylvania during edACCESS Vendor Day, June 24th.

If you have ever been curious about the NetEqualizer, and want to learn more, stop by to talk to Art. We also look forward to visiting with customers as well, so please come by and say hello. You might even get some free NetEqualizer bling from Art!

If you cannot attend the edACCESS conference, but are in the area of South Central Pennsylvania, and would like to meet with Art, email him at:

art@apconnections.net

Art will be in the area for a few days after the conference as well.

How do you tell if edACCESS is right for you? Their mission is to provide support and networking for information technology staff at secondary schools and small colleges. Most edACCESS members come from schools with an FTE of under 1,000 students. So, if that sounds like you, consider attending the 2015 edACCESS Conference.

If you have never been to an edACCESS Conference, you might not know that they are purposely run small (100 attendees maximum) and that they use the peer conference mode.

Here is what they say on the edACCESS website:

“Each edACCESS conference is small, responsive, and participant-driven. Small, because edACCESS conferences are limited to one hundred attendees. Responsive, because half the conference is spent discussing topics chosen by attendees through a careful first-day process. Participant-driven, because we believe that, collectively, we are the experts.”

We hope to see you there!



Best Of The Blog

The Facts and Myths of Network Latency

By Art Reisman – CTO – APconnections

There are many good references that explain how some applications such as VoIP are sensitive to network latency, but there is also some confusion as to what latency actually is as well as perhaps some misinformation about the causes.

In the article below, we’ll separate the facts from the myths and also provide some practical analogies to help paint a clear picture of latency and what may be behind it…

Photo Of The Month
Brighton Beach, UK
This picture was taken by one of our staff on Brighton Beach, UK during our recent Tech Seminar. Brighton Beach features Brighton Pier, which is a pleasure pier that opened in 1899. Here, the ride operators are shown taking a break from work.